rsync: CVE-2014-2855: Daemon infinite loop when no matched user in secrets


Debian Bug report logs - #744791

Package: src:rsync; Maintainer for src:rsync is Paul Slootman <paul@debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Mon, 14 Apr 2014 19:30:06 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in version rsync/3.1.0-1

Fixed in version rsync/3.1.0-3

Done: Paul Slootman <paul@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Paul Slootman <paul@debian.org>:
Bug#744791; Package src:rsync. (Mon, 14 Apr 2014 19:30:11 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Paul Slootman <paul@debian.org>. (Mon, 14 Apr 2014 19:30:11 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: rsync: Daemon infinite loop when no matched user in secrets
Date: Mon, 14 Apr 2014 21:28:08 +0200
Source: rsync
Version: 3.1.0-1
Severity: grave
Tags: security upstream fixed-upstream

Hi

There is a DoS against an rsync daemon, for details see [1,2]. There is
also an upstream fix at [3].

 [1] https://bugs.launchpad.net/ubuntu/+source/rsync/+bug/1307230
 [2] https://bugzilla.samba.org/show_bug.cgi?id=10551
 [3] https://git.samba.org/?p=rsync.git;a=commitdiff;h=0dedfbce2c1b851684ba658861fe9d620636c56a

Regards,
Salvatore



Changed Bug title to 'rsync: CVE-2014-2855: Daemon infinite loop when no matched user in secrets' from 'rsync: Daemon infinite loop when no matched user in secrets' Request was from Henri Salo <henri@nerv.fi> to control@bugs.debian.org. (Tue, 15 Apr 2014 14:21:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Paul Slootman <paul@debian.org>:
Bug#744791; Package src:rsync. (Tue, 15 Apr 2014 14:27:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Paul Slootman <paul@debian.org>. (Tue, 15 Apr 2014 14:27:04 GMT)


Message #12 received at 744791@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 744791@bugs.debian.org
Subject: Re: Bug#744791: rsync: Daemon infinite loop when no matched user in secrets
Date: Tue, 15 Apr 2014 16:26:20 +0200
Hi,

In the meanwhile a CVE was assigned to this issue (CVE-2014-2855). Could
you please include this reference in your changelog when fixing the
issue? Thanks in advance.

Regards,
Salvatore



Reply sent to Paul Slootman <paul@debian.org>:
You have taken responsibility. (Wed, 16 Apr 2014 15:21:25 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 16 Apr 2014 15:21:25 GMT)


Message #17 received at 744791-close@bugs.debian.org:

From: Paul Slootman <paul@debian.org>
To: 744791-close@bugs.debian.org
Subject: Bug#744791: fixed in rsync 3.1.0-3
Date: Wed, 16 Apr 2014 15:20:35 +0000
Source: rsync
Source-Version: 3.1.0-3

We believe that the bug you reported is fixed in the latest version of
rsync, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 744791@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Paul Slootman <paul@debian.org> (supplier of updated rsync package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 16 Apr 2014 16:21:23 +0200
Source: rsync
Binary: rsync
Architecture: source amd64
Version: 3.1.0-3
Distribution: unstable
Urgency: high
Maintainer: Paul Slootman <paul@debian.org>
Changed-By: Paul Slootman <paul@debian.org>
Description: 
 rsync      - fast, versatile, remote (and local) file-copying tool
Closes: 744791
Changes: 
 rsync (3.1.0-3) unstable; urgency=high
 .
   * fix for CVE-2014-2855 - rsync denial of service
     a remote client can send an invalid username and cause an infinite CPU
     loop on the server child process.
     closes:#744791
   * added upstream signature for uscan usage
   * changed package source format to 3.0 (quilt)
Checksums-Sha1: 
 b8bdaa9d71ad5956b449f692c72095d63012193d 1073 rsync_3.1.0-3.dsc
 e17ab7cc56a0a862f33e57dfbeb7ea32cf5a7ba9 19648 rsync_3.1.0-3.debian.tar.xz
 b0e5c69dbaf2f3a030456eae62fa15966be28f2d 345006 rsync_3.1.0-3_amd64.deb
Checksums-Sha256: 
 fe38982081d23a825a9268a701104ff9da76eda63fe571b9c3fe883f5f204351 1073 rsync_3.1.0-3.dsc
 d41ef02859a0ac5efd7d808a9b8cf5a9d19447dadc84a71ee51f8943151502cd 19648 rsync_3.1.0-3.debian.tar.xz
 18fe827feeab9ae3d65f5f17e8029b7da17aadd3854afd8b50fadec189fa0c1e 345006 rsync_3.1.0-3_amd64.deb
Files: 
 47d87e12d5a841ec41537cfde8b11050 1073 net optional rsync_3.1.0-3.dsc
 5d98d300def18a3568559a5412bfefa1 19648 net optional rsync_3.1.0-3.debian.tar.xz
 b99e15c9215b97d186d5ea4d2f9e3a0e 345006 net optional rsync_3.1.0-3_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iEYEARECAAYFAlNOlc4ACgkQutvvqbTW3hOB6QCfalaJXYcuXE4JE9jTUidUaVC4
fZ4An2vAkhdVMxEOvnEbsIZU52v4PlsM
=ytWf
-----END PGP SIGNATURE-----
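The changelog in the message above names the failure mode (a remote client sends a username that is not in the secrets file and the daemon's child process spins at 100% CPU) but the bug log carries no code. What follows is an added illustration written for this page, not rsync's own authenticate.c and not the upstream fix: a single bounded pass over an rsyncd.secrets-style file (user:password lines and, from rsync 3.1.0, @group:password lines, with # comments) that returns None for an unknown user so the caller fails closed instead of retrying. The sample secrets file is constructed, and the names lookup_secret, authenticate and lines_read are this example's own. The real daemon verifies a challenge-response digest rather than the plain secret; that step is left out here to keep the focus on the property the CVE is about, namely that the lookup terminates whether or not the user matches.

```python
"""Illustrative rsyncd.secrets lookup (added example, not rsync's code).

The property demonstrated: for ANY username, the lookup reads each line of
the secrets file at most once and then returns, so an unmatched user costs
one pass over the file and yields an authentication failure, never a spin.
"""
import hmac
from typing import Iterable, Iterator, Optional

# Constructed sample secrets file (not taken from the bug report).
SAMPLE_SECRETS = """\
# per-user entries
alice:s3cret
bob:hunter2
# group entry (rsync >= 3.1.0 syntax)
@backup:grouppw
"""


def lookup_secret(lines: Iterable[str], user: str,
                  groups: Iterable[str] = ()) -> Optional[str]:
    """Return the secret for `user` or for one of its `groups`, else None.

    Every iteration either consumes a line and continues, or returns.
    There is no code path that re-reads or refuses to advance past a line,
    so the loop is bounded by the number of lines in the file.
    """
    group_set = set(groups)
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line or line.startswith("#"):
            continue                      # blank/comment: consumed, skipped
        name, sep, secret = line.partition(":")
        if not sep:
            continue                      # malformed line: consumed, skipped
        if name.startswith("@"):
            if name[1:] in group_set:     # "@backup" matches group "backup"
                return secret
        elif name == user:                # exact user match only
            return secret
    return None                           # unmatched: fail closed at caller


def authenticate(secrets_text: str, user: str, presented: str,
                 groups: Iterable[str] = ()) -> bool:
    """Auth decision: an unmatched user is a failure, not a retry."""
    expected = lookup_secret(secrets_text.splitlines(keepends=True),
                             user, groups)
    if expected is None:
        return False
    # Constant-time compare so timing does not leak the matching prefix.
    return hmac.compare_digest(expected.encode(), presented.encode())


class _Counting:
    """Iterator wrapper that records how many lines the lookup consumed."""

    def __init__(self, it: Iterable[str]) -> None:
        self._it: Iterator[str] = iter(it)
        self.n = 0

    def __iter__(self) -> "_Counting":
        return self

    def __next__(self) -> str:
        item = next(self._it)
        self.n += 1
        return item


def lines_read(secrets_text: str, user: str,
               groups: Iterable[str] = ()) -> int:
    """Witness for the termination bound: lines consumed by one lookup."""
    src = _Counting(secrets_text.splitlines(keepends=True))
    lookup_secret(src, user, groups)
    return src.n


if __name__ == "__main__":
    for who in ("alice", "mallory"):
        print(who, lookup_secret(SAMPLE_SECRETS.splitlines(keepends=True), who),
              "lines read:", lines_read(SAMPLE_SECRETS, who))
```

lines_read is the check a practitioner would add to a regression test for this class of bug: for an unmatched name it must equal the line count of the file (five for the sample above), and it must be the same on a second call; a lookup that hangs on an unknown user would never return at all.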




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 15 May 2014 07:32:04 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:53:01 2019; Machine Name: buxtehude
